st-tech / gatling-operator

Automating distributed Gatling load testing using Kubernetes operator
MIT License

Fix Security Issue - gogo protobuf #46

Closed yokawasa closed 2 years ago

yokawasa commented 2 years ago

Description

To fix a security issue:

https://github.com/st-tech/gatling-operator/security/dependabot/1

| Package | Affected versions | Patched version |
|---|---|---|
| github.com/gogo/protobuf | < 1.3.2 | 1.3.2 |

Test

Trivy vulnerability scan results comparison

trivy scan result on gatling-operator-v0.5.1 (before the fix)

```
trivy image --ignore-unfixed --severity HIGH,CRITICAL  gatling-operator:v0.5.1
2022-03-30T13:25:51.654+0900    INFO    Detected OS: debian
2022-03-30T13:25:51.655+0900    INFO    Detecting Debian vulnerabilities...
2022-03-30T13:25:51.656+0900    INFO    Number of language-specific files: 1
2022-03-30T13:25:51.656+0900    INFO    Detecting gobinary vulnerabilities...

gatling-operator:v0.5.1 (debian 11.3)
=====================================
Total: 0 (HIGH: 0, CRITICAL: 0)

manager (gobinary)
==================
Total: 1 (HIGH: 1, CRITICAL: 0)

+--------------------------+------------------+----------+-------------------+---------------+--------------------------------------+
|         LIBRARY          | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+--------------------------+------------------+----------+-------------------+---------------+--------------------------------------+
| github.com/gogo/protobuf | CVE-2021-3121    | HIGH     | v1.3.1            | 1.3.2         | gogo/protobuf:                       |
|                          |                  |          |                   |               | plugin/unmarshal/unmarshal.go        |
|                          |                  |          |                   |               | lacks certain index validation       |
|                          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3121 |
+--------------------------+------------------+----------+-------------------+---------------+--------------------------------------+
```

trivy scan result on gatling-operator-v0.5.5 (after the fix)

```
trivy image --ignore-unfixed --severity HIGH,CRITICAL  gatling-operator:v0.5.2
2022-03-30T13:55:50.179+0900    INFO    Detected OS: debian
2022-03-30T13:55:50.179+0900    INFO    Detecting Debian vulnerabilities...
2022-03-30T13:55:50.181+0900    INFO    Number of language-specific files: 1
2022-03-30T13:55:50.181+0900    INFO    Detecting gobinary vulnerabilities...

gatling-operator:v0.5.2 (debian 11.3)
=====================================
Total: 0 (HIGH: 0, CRITICAL: 0)

manager (gobinary)
==================
Total: 0 (HIGH: 0, CRITICAL: 0)
```

Running test

I confirmed that the gatling operator runs as expected throughout Gatling load testing.

Here is the test procedure:

```
# create kind cluster
make kind-deploy
# deploy gatling operator-v0.5.2 to kind cluster
make kind-deploy
# deploy sample gatling CR to the cluster
make kind-sample-deploy
```
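The before/after Trivy comparison above is done by eye. The following is an added example (not part of the gatling-operator project or this PR) showing how the same comparison can be automated as a build gate: it parses two Trivy JSON reports, diffs the HIGH/CRITICAL findings, and fails the gate if any fixable finding remains. The two reports are constructed samples mirroring the PR's two scans, written in the shape of `trivy image --format json` output; the field names (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) are the ones Trivy's JSON schema uses, but the exact sample content is assumed, not copied from a real scan.

```python
"""Diff two Trivy JSON reports and gate on remaining HIGH/CRITICAL findings.

Added example, not project code. BEFORE_JSON / AFTER_JSON are constructed
samples in the shape of `trivy image --format json` output (assumption).
"""
import json

# Constructed sample: the v0.5.1 scan, one HIGH finding in the Go binary.
BEFORE_JSON = json.dumps({
    "ArtifactName": "gatling-operator:v0.5.1",
    "Results": [
        {"Target": "gatling-operator:v0.5.1 (debian 11.3)", "Class": "os-pkgs",
         "Type": "debian", "Vulnerabilities": None},
        {"Target": "manager", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-3121",
              "PkgName": "github.com/gogo/protobuf",
              "InstalledVersion": "v1.3.1", "FixedVersion": "1.3.2",
              "Severity": "HIGH",
              "Title": "gogo/protobuf: plugin/unmarshal/unmarshal.go "
                       "lacks certain index validation"}]},
    ],
})

# Constructed sample: the v0.5.2 scan, nothing left in either target.
AFTER_JSON = json.dumps({
    "ArtifactName": "gatling-operator:v0.5.2",
    "Results": [
        {"Target": "gatling-operator:v0.5.2 (debian 11.3)", "Class": "os-pkgs",
         "Type": "debian"},
        {"Target": "manager", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": []},
    ],
})

# Same policy as the PR's command line: --severity HIGH,CRITICAL --ignore-unfixed
GATE_SEVERITIES = {"HIGH", "CRITICAL"}


def findings(report_json, severities=GATE_SEVERITIES, ignore_unfixed=True):
    """Return {(target, package, vuln_id): finding} for findings that match
    the severity filter. Trivy emits "Vulnerabilities": null (or omits the
    key) for a clean target, so both cases must be treated as empty."""
    report = json.loads(report_json)
    out = {}
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in severities:
                continue
            # --ignore-unfixed drops findings with no FixedVersion
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            out[(result["Target"], v["PkgName"], v["VulnerabilityID"])] = v
    return out


def summarize(report_json):
    """Per-target counts, matching Trivy's 'Total: N (HIGH: h, CRITICAL: c)' footer."""
    report = json.loads(report_json)
    counts = {}
    for result in report.get("Results") or []:
        per_sev = {s: 0 for s in GATE_SEVERITIES}
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in per_sev:
                per_sev[v["Severity"]] += 1
        counts[result["Target"]] = per_sev
    return counts


def compare(before_json, after_json):
    """Classify findings as fixed, newly introduced, or still remaining."""
    before, after = set(findings(before_json)), set(findings(after_json))
    return {
        "fixed": sorted(before - after),
        "introduced": sorted(after - before),
        "remaining": sorted(after & before),
    }


def gate_passes(after_json):
    """True when no fixable HIGH/CRITICAL finding is left in the new image."""
    return not findings(after_json)


if __name__ == "__main__":
    diff = compare(BEFORE_JSON, AFTER_JSON)
    for kind in ("fixed", "introduced", "remaining"):
        for target, pkg, vuln_id in diff[kind]:
            print(f"{kind:10s} {target:10s} {pkg} {vuln_id}")
    print("gate:", "PASS" if gate_passes(AFTER_JSON) else "FAIL")
```

In CI the two JSON inputs would come from `trivy image --format json` runs against the previous and the candidate image; the `introduced` list is the part worth wiring into a failure condition as well, since a dependency bump that silences one CVE can pull in another.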
yokawasa commented 2 years ago

@tippy3 thank you for the review. I'll go ahead and merge this, as it's better to fix the issue as quickly as possible.